Bug 9246 - SIGSEGV on readtoken
Summary: SIGSEGV on readtoken
Status: RESOLVED WONTFIX
Alias: None
Product: Busybox
Classification: Unclassified
Component: Other
Version: unspecified
Hardware: All
OS: Linux
: P5 normal
Target Milestone: ---
Assignee: unassigned
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-09-13 12:48 UTC by Franco Costantini
Modified: 2016-09-17 18:56 UTC

See Also:
Host:
Target:
Build:


Attachments
gzipped test case (482 bytes, application/gzip)
2016-09-13 12:48 UTC, Franco Costantini
.config file (25.52 KB, text/plain)
2016-09-13 12:48 UTC, Franco Costantini

Description Franco Costantini 2016-09-13 12:48:12 UTC
Created attachment 6656
gzipped test case

Hello, we recently found an invalid memory access parsing and executing fuzzed bash code in Busybox 1.25.0.
We tested this issue on Ubuntu 14.04.5 (x86_64) but other configurations could be affected. Please find attached the full .config file.

gdb backtrace is as follows:

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00000000004c2a04 in memcpy (__len=63284, __src=0x60a4000027a8, __dest=0x7fffff7f4cc0) at /usr/include/x86_64-linux-gnu/bits/string3.h:51
51	  return __builtin___memcpy_chk (__dest, __src, __len, __bos0 (__dest));
#0  0x00000000004c2a04 in memcpy (__len=63284, __src=0x60a4000027a8, __dest=0x7fffff7f4cc0) at /usr/include/x86_64-linux-gnu/bits/string3.h:51
#1  readtoken1 (c=<optimized out>, syntax=<optimized out>, eofmark=<optimized out>, striptabs=<optimized out>) at shell/ash.c:11646
#2  0x00000000004c3222 in readtoken () at shell/ash.c:11945
#3  0x00000000004c13c3 in peektoken () at shell/ash.c:12003
#4  list (nlflag=nlflag@entry=1) at shell/ash.c:10546
#5  0x00000000004c4738 in parsecmd (interact=<optimized out>) at shell/ash.c:12021
#6  0x00000000004c5cdb in cmdloop (top=top@entry=1) at shell/ash.c:12160
#7  0x00000000004cb1cb in ash_main (argc=<optimized out>, argv=0x7fffffffed60) at shell/ash.c:13255
#8  0x0000000000408951 in run_applet_no_and_exit (applet_no=applet_no@entry=271, argv=argv@entry=0x7fffffffed60) at libbb/appletlib.c:879
#9  0x0000000000408efc in run_applet_and_exit (name=name@entry=0x7fffffffef2d "sh", argv=argv@entry=0x7fffffffed60) at libbb/appletlib.c:893
#10 0x0000000000408ed6 in busybox_main (argv=0x7fffffffed60) at libbb/appletlib.c:840
#11 run_applet_and_exit (name=name@entry=0x7fffffffef1a "busybox_unstripped", argv=argv@entry=0x7fffffffed58) at libbb/appletlib.c:888
#12 0x0000000000408fcd in main (argc=<optimized out>, argv=0x7fffffffed58) at libbb/appletlib.c:971

This issue was found using QuickFuzz, the file to reproduce it is attached.
Regards.
Comment 1 Franco Costantini 2016-09-13 12:48:31 UTC
Created attachment 6661
.config file
Comment 2 Denys Vlasenko 2016-09-17 18:56:05 UTC
echo "..<100kbytes>..`true` $(true) `true` ..."

allocates 100kb for every command subst. With about
a hundred command substitutions stack overflows.
With larger prepended string, SEGV happens sooner.

I think while this is a deficiency, it is not likely to impact
practical scripts. Adding FIXME in the source where it happens.
Won't fix now.
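The cost model behind comment 2, as an added example that is not Busybox code: each command substitution in a word causes the parser to save the word bytes accumulated so far on the C stack until the whole word is parsed, so the total is the sum of the prefix lengths at each substitution. The scanner below is a simplification that ignores shell quoting, assumes a Linux default stack of 8 MiB, and assumes the saved prefix grows by one marker byte per substitution; `fuzz_word_stack` builds a constructed word shaped like the reporter's test case.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define DEFAULT_STACK_BYTES (8u << 20)   /* assumed: Linux default ulimit -s */

/* Simplified model of the cost described in comment 2: each `...` or $(...)
 * in a word makes the parser keep a stack copy of the word bytes seen so far
 * until the whole word is parsed. Shell quoting rules are ignored here. */
size_t estimate_subst_stack(const char *word, unsigned *nsubst)
{
    size_t total = 0, prefix = 0; unsigned n = 0;
    for (const char *p = word; *p; ) {
        if (*p == '`') {                            /* old style */
            const char *end = strchr(p + 1, '`');
            if (!end) break;                        /* unterminated */
            p = end + 1;
        } else if (p[0] == '$' && p[1] == '(') {    /* new style, may nest */
            int depth = 1;
            for (p += 2; *p && depth; p++) depth += (*p == '(') - (*p == ')');
        } else {
            prefix++; p++; continue;
        }
        total += prefix; n++;   /* bytes copied to the stack for this one */
        prefix++;               /* assumed one-byte marker left in the word */
    }
    if (nsubst) *nsubst = n;
    return total;
}

/* Constructed word shaped like the reporter's case: prefix_len filler bytes,
 * then nsubst `true` substitutions. Returns its estimated stack cost. */
size_t fuzz_word_stack(size_t prefix_len, unsigned nsubst)
{
    char *word = malloc(prefix_len + (size_t)nsubst * 6 + 1), *w = word;
    if (!word) return 0;
    memset(w, 'x', prefix_len); w += prefix_len;
    for (unsigned i = 0; i < nsubst; i++, w += 6) memcpy(w, "`true`", 6);
    *w = '\0';
    size_t cost = estimate_subst_stack(word, NULL);
    free(word);
    return cost;
}

int main(void)
{
    size_t cost = fuzz_word_stack(100 * 1024, 100);
    printf("%zu bytes of stack, %s 8 MiB\n", cost, cost > DEFAULT_STACK_BYTES ? "exceeds" : "within");
    return 0;
}
```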